diff --git a/pkg/userdata/generate/generate.go b/pkg/userdata/generate/generate.go
index 4c55bce88..3ac69d124 100644
--- a/pkg/userdata/generate/generate.go
+++ b/pkg/userdata/generate/generate.go
@@ -240,14 +240,22 @@ func NewInput(clustername string, masterIPs []string) (input *Input, err error)
 }
 // Generate Kubernetes CA.
- opts := []x509.Option{x509.RSA(true), x509.Organization("talos-k8s")}
+ opts := []x509.Option{
+ x509.RSA(true),
+ x509.Organization("talos-k8s"),
+ x509.NotAfter(time.Now().Add(8760 * time.Hour)),
+ }
 k8sCert, err := x509.NewSelfSignedCertificateAuthority(opts...)
 if err != nil {
 return nil, err
 }
 // Generate Talos CA.
- opts = []x509.Option{x509.RSA(false), x509.Organization("talos-os")}
+ opts = []x509.Option{
+ x509.RSA(false),
+ x509.Organization("talos-os"),
+ x509.NotAfter(time.Now().Add(8760 * time.Hour)),
+ }
 osCert, err := x509.NewSelfSignedCertificateAuthority(opts...)
 if err != nil {
 return nil, err
diff --git a/pkg/userdata/v1alpha1/generate/generate.go b/pkg/userdata/v1alpha1/generate/generate.go
index 1a0a7f8d1..16139b3ce 100644
--- a/pkg/userdata/v1alpha1/generate/generate.go
+++ b/pkg/userdata/v1alpha1/generate/generate.go
@@ -13,6 +13,7 @@ import (
 "errors"
 "fmt"
 "net"
+ "time"
 "github.com/talos-systems/talos/pkg/constants"
 "github.com/talos-systems/talos/pkg/crypto/x509"
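Review bot: The CA lifetime is written as the literal `8760 * time.Hour` with a separate `time.Now()` call for each CA in the NewInput hunk of pkg/userdata/generate/generate.go, and the same two lines recur in the NewInput hunk of pkg/userdata/v1alpha1/generate/generate.go, so the two CAs get slightly different expiry instants and a lifetime change has to be made in four places. Computing it once, e.g. `notAfter := time.Now().Add(caValidity)` with a package-level `const caValidity = 8760 * time.Hour` (the name is only a suggestion), and passing `x509.NotAfter(notAfter)` in both option lists keeps them aligned. The diff for pkg/userdata/generate/generate.go has no import hunk while the v1alpha1 file gains `"time"`, so presumably `time` is already imported there; worth confirming that package still builds. NewInput's body starts and ends outside the hunk.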
@@ -252,14 +253,22 @@ func NewInput(clustername string, masterIPs []string) (input *Input, err error)
 }
 // Generate Kubernetes CA.
- opts := []x509.Option{x509.RSA(true), x509.Organization("talos-k8s")}
+ opts := []x509.Option{
+ x509.RSA(true),
+ x509.Organization("talos-k8s"),
+ x509.NotAfter(time.Now().Add(8760 * time.Hour)),
+ }
 k8sCert, err := x509.NewSelfSignedCertificateAuthority(opts...)
 if err != nil {
 return nil, err
 }
 // Generate Talos CA.
- opts = []x509.Option{x509.RSA(false), x509.Organization("talos-os")}
+ opts = []x509.Option{
+ x509.RSA(false),
+ x509.Organization("talos-os"),
+ x509.NotAfter(time.Now().Add(8760 * time.Hour)),
+ }
 osCert, err := x509.NewSelfSignedCertificateAuthority(opts...)
 if err != nil {
 return nil, err
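Review bot: Neither `// Generate Kubernetes CA.` nor `// Generate Talos CA.` records that the CA now expires one year after generation, which is the fact an operator most needs because certificates chained to an expired CA stop validating. I would extend the comments, e.g. `// Generate Kubernetes CA, valid for one year from now; it must be rotated before expiry.` and the equivalent for the Talos CA. Whether a rotation or expiry-warning path exists is not visible in this diff, so that is worth confirming before a one-year root lifetime ships. NewInput's body continues outside the hunk.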